
GDPR

Introduction

The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018. This introduced the most significant changes to data protection law in 20 years. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

The new regulation aims to standardise data protection laws and processing across the EU, to provide individuals with stronger and more consistent rights to access, and to better control their personal information.

Our commitment

Panshanger Primary School is committed to ensuring the security and protection of the personal information that we process and to providing a compliant and consistent approach to data protection. We are confident that our current policies and procedures have complied with the existing laws, but we have recognised the need to update these in line with GDPR and the UK’s Data Protection Bill.

We are dedicated to safeguarding the personal information that we process and to developing procedures that are effective and robust.

At Panshanger Primary School we have completed the following actions to ensure maximum and ongoing compliance.

How we have prepared for the GDPR

Our preparation has included:

  • Completing an audit in order to identify and access the personal information we hold, why it is processed and if and to whom it is disclosed
  • Policies and procedures – we have revised our data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
    • Data protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR.
    • Data retention and erasure – we have updated our retention policy and schedule.
    • Data breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and are disseminated to all employees, making them aware of the reporting lines and steps to follow.
    • Subject Access Request (SAR) – we have revised our SAR procedures.
  • Legal basis for processing – we have reviewed all processing activities to identify the legal basis for processing and ensured that each basis is appropriate for the activity it relates to.
  • Privacy notices – we have revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
  • Obtaining consent – we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information.
  • Data Protection Impact Assessments (DPIA) – where we process personal information that is considered highly sensitive, or includes special category data, we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements.
  • Processor agreements – where we use any third party to process personal information on our behalf (e.g. Payroll, Recruitment, Hosting etc.), we have obtained verification from those third parties that they meet and understand their/our GDPR obligations. These processors include (but are not limited to):
    • Serco
    • DfE
    • HCC
    • Herts Catering
    • Herts for Learning
    • CPOMS
    • TTRS
    • The Spelling Shed
  • Special categories data – where we obtain and process any special category information, we do so in order to fulfil contractual obligations, and in compliance with the Article 9 requirements. Encryption and other protections are applied to all such data.

Information security and technical and organisational measures

At Panshanger Primary School we take the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures which are provided by Hertfordshire.

GDPR roles and employees

The Governors are responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.

We already highly value and protect all of our pupils’, parents’ and staff data and will update our practices and procedures to keep up to date with current data protection regulations. For further information about GDPR please visit the ICO website.

Ben Longland is our Data Protection Officer (DPO) and it is his role to ensure that the school is complying with the data protection regulation, overseeing the way the school handles data and ensuring that requests for data are dealt with in accordance with GDPR.

Contact details: DPO@panshanger.herts.sch.uk

Associated Policies and Documents: